Headline
CVE-2023-27095: hippo4j monitors system information leakage · Issue #1061 · opengoofy/hippo4j
Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 allows attacker toescalate privileges via the AddUser method of the UserController function in Tenant Management module.
ConfigVerifyController for the Tenant Management module of hippo4j. There are information leakage vulnerabilities, unauthorized access vulnerabilities in authority promotion, The vulnerability is the result of check the thread pool modificationApplicationPage method does not to perform the current operation user identity and in the same Controller layer verifyConfigModification method to perform the current operation of the user for authentication , leading to any user can access/hippo4j/v1 / cs/configs/verify/query/application/page interface to retrieve information forms through the access/hippo4j/v1 / cs/configs/verify interface to modify the thread pool audit status
Influence version
hippo4j 1.4.3 (Nov 06, 2022)
Related news
Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 allows attacker toescalate privileges via the AddUser method of the UserController function in Tenant Management module.